[#8470] removed config globals for csp and updated middleware code
diff --git a/Allura/allura/lib/app_globals.py b/Allura/allura/lib/app_globals.py
index 5895459..65279bb 100644
--- a/Allura/allura/lib/app_globals.py
+++ b/Allura/allura/lib/app_globals.py
@@ -662,28 +662,6 @@
def commit_statuses_enabled(self):
return asbool(config['scm.commit_statuses'])
- @property
- def csp_report_mode(self):
- if config.get('csp.report_mode'):
- return asbool(config['csp.report_mode'])
- return False
-
- @property
- def csp_report_uri(self):
- if config.get('csp.report_uri'):
- return config['csp.report_uri']
- return None
- @property
- def csp_report_uri_enforce(self):
- if config.get('csp.report_uri_enforce'):
- return config['csp.report_uri_enforce']
- return None
- @property
- def csp_report_enforce(self):
- if config.get('csp.report_enforce_mode'):
- return True
- return False
-
class Icon:
def __init__(self, css, title=None):
diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index 7665f64..8974734 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -22,7 +22,7 @@
import tg
import pkg_resources
from paste import fileapp
-from paste.deploy.converters import aslist
+from paste.deploy.converters import aslist, asbool
from tg import tmpl_context as c
from tg.support.middlewares import _call_wsgi_application as call_wsgi_application
from timermiddleware import Timer, TimerMiddleware
@@ -470,29 +470,33 @@
resp = req.get_response(self.app)
rules = resp.headers.getall('Content-Security-Policy')
report_rules = resp.headers.getall('Content-Security-Policy-Report-Only')
-
+ report_mode = asbool(self.config.get('csp.report_mode',False))
+ report_enforce_mode = asbool(self.config.get('csp.report_enforce_mode',False))
+ report_uri = self.config.get('csp.report_uri', None)
+ report_uri_enforce = self.config.get('csp.report_uri_enforce', None)
+
if rules:
resp.headers.pop('Content-Security-Policy')
if report_rules:
resp.headers.pop('Content-Security-Policy-Report-Only')
- if g.csp_report_mode and g.csp_report_uri:
- report_rules.append(f'report-uri {g.csp_report_uri}; report-to {g.csp_report_uri}')
+ if report_mode and report_uri:
+ report_rules.append(f'report-uri {report_uri}; report-to {report_uri}')
if self.config['base_url'].startswith('https'):
rules.append('upgrade-insecure-requests')
- if g.csp_report_enforce and g.csp_report_uri_enforce:
- rules.append(f'report-uri {g.csp_report_uri_enforce}; report-to {g.csp_report_uri_enforce:}')
+ if report_enforce_mode and report_uri_enforce:
+ rules.append(f'report-uri {report_uri_enforce}; report-to {report_uri_enforce:}')
if self.config.get('csp.frame_sources'):
- if g.csp_report_mode:
+ if report_mode:
report_rules.append(f"frame-src {self.config['csp.frame_sources']}")
else:
rules.append(f"frame-src {self.config['csp.frame_sources']}")
if self.config.get('csp.form_action_urls'):
- if g.csp_report_mode:
+ if report_mode:
report_rules.append(f"form-action {self.config['csp.form_action_urls']}")
else:
rules.append(f"form-action {self.config['csp.form_action_urls']}")
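Review bot: The `report-to` directive on both reporting `append` lines is given the report URL, but `report-to` takes the name of an endpoint group declared in a `Reporting-Endpoints` (or `Report-To`) response header, and no such header is set in the visible lines. Browsers that support `report-to` ignore `report-uri` when both are present, so violation reports are likely dropped in those browsers. Either keep only the URL form, e.g. `report_rules.append(f'report-uri {report_uri}')`, or emit a `Reporting-Endpoints` header and reference its group name in `report-to`. Separately, `{report_uri_enforce:}` in the enforce-mode line carries a stray `:` (an empty format spec) that should be removed. The enclosing method starts and ends outside this hunk, so any handling after these lines is not visible here.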